Web · Easy · Linux
HTB — Code
Python code sandbox escape via restricted eval bypass reads SSH keys. Root via path traversal in the backy backup tool.
March 29, 2025 · HackTheBox
#Python #Sandbox Escape #eval #Path Traversal
nmap
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.62
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 00:34 EDT
Nmap scan report for 10.10.11.62
Host is up (0.022s latency).
Not shown: 65354 closed tcp ports (reset), 179 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b5:b9:7c:c4:50:32:95:bc:c2:65:17:df:51:a2:7a:bd (RSA)
| 256 94:b5:25:54:9b:68:af:be:40:e1:1d:a8:6b:85:0d:01 (ECDSA)
|_ 256 12:8c:dc:97:ad:86:00:b4:88:e2:29:cf:69:b5:65:96 (ED25519)
5000/tcp open http Gunicorn 20.0.4
|_http-title: Python Code Editor
|_http-server-header: gunicorn/20.0.4
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 22.41 ms 10.10.14.1
2 22.58 ms 10.10.11.62
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.34 seconds
5000
5000/tcp open http Gunicorn 20.0.4
|_http-title: Python Code Editor
|_http-server-header: gunicorn/20.0.4
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).